justdoitfandomcom-20200213-history
VPN
=VPN Overview= EZVPN Server Client Configuration AAA Standard Configuration aaa new-model aaa authentication login EZVPN local aaa authorization network EZVPN local ! username USERFORVPN password PASSFORVPN ! crypto map VPN isakmp authorization list EZVPN crypto map VPN client authentication list EZVPN Client Standard Configuration ip local pool VPN_USER_POOL 192.168.1.2 192.168.1.10 crypto isakmp client configuration address-pool local EZVPN ! ip access-list extended SPLIT_TUNNEL_ROUTES permit ip host 150.1.1.1 any ! crypto isakmp client configuration group EZVPN key CISCO pool VPN_USER_POOL acl SPLIT_TUNNEL_ROUTES After the AAA & Client configuration is complete or figured out, there are 3 options for creating the ISAKMP/IPSEC connections. OPTION 1: Crypto Map crypto isakmp policy 100 authentication pre-share encryption 3des hash md5 group 2 ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac ! crypto dynamic-map EZVPN_DYNAMIC 100 set transform-set 3DES_MD5 reverse-route ! crypto map VPN isakmp authorization list EZVPN crypto map VPN client authentication list EZVPN crypto map VPN client configuration address respond crypto map VPN 100 ipsec-isakmp dynamic EZVPN_DYNAMIC ! interface GigabitEthernet0/0 crypto map VPN OPTION 2: Crypto Profile crypto isakmp policy 100 authentication pre-share encryption 3des hash md5 group 2 ! crypto isakmp profile CRYPTO_MAP match identity group EZVPN client authentication list EZVPN isakmp authorization list EZVPN client configuration address respond client configuration group EZVPN ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac ! crypto dynamic-map EZVPN_DYNAMIC 100 set isakmp-profile CRYPTO_MAP set transform-set 3DES_MD5 reverse-route ! crypto map VPN 100 ipsec-isakmp dynamic EZVPN_DYNAMIC ! interface GigabitEthernet0/0 crypto map VPN OPTION 3: DVTI & PSK crypto isakmp policy 100 authentication pre-share encryption 3des hash md5 group 2 ! crypto isakmp profile CRYPTO_MAP match identity group EZVPN client authentication list EZVPN isakmp authorization list EZVPN client configuration address respond client configuration group EZVPN virtual-template 1 ! crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac ! crypto ipsec profile EZVPN set isakmp-profile CRYPTO_MAP set transform-set 3DES_MD5 set reverse-route tag 1 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 tunnel mode ipsec ipv4 tunnel protection ipsec profile EZVPN Remote Client Mode ip http server ! ip access-list extended EZVPN_TRAFFIC permit ip 136.1.100.0 0.0.0.255 host 150.1.1.1 ! crypto ipsec client ezvpn EZVPN_CLIENT group EZVPN key CISCO connect acl EZVPN_TRAFFIC mode client peer 136.1.18.1 xauth userid mode http-intercept ! interface FastEthernet0/1 crypto ipsec client ezvpn EZVPN_CLIENT inside ! interface FastEthernet0/0.38 crypto ipsec client ezvpn EZVPN_CLIENT outside NEM Plus =Elements of IPSec VPN= *RFC 4301 **IKE v1/v2 ***IKE V1 - RFC 2408 - has two phases ***IKE V2 - RFC 4306 - has 2-5 messages in a basic exchange and no concept of phases. Instead it creates Parent SA's and then Child SAs. **AH ***IP Protocol 51 **ESP ***RFC 4303 ***IP Protocol 50 =Elements of SSL VPN= *Developed in 1994 by Netscape *IETF enhanced and renamed TLS *Desinged to authenticate the server to the client using X.509 certificates *Optionally authenticate the client to the server *Select Crypto Algorithms *Establish a Protected Tunnel Cisco AnyConnect 3.0 *Deploy from ASA or from SMS (software management system) *Customizable and translatable *Built with modules: **Networks Access Manager **Posture Assessment **Telemetry (IronPort) **Web Security (IronPort) **DART (Diagnostic and Reporting Tool) **SBL (Start Before Login) *Support via IKEv2 and considered to be an "all-in-one" VPN client solution ASA VPN Capabilities Feature Interaction *Cisco ASA security appliance uses a stateful packet filtering engine that supports AIC which may effect VPN traffic. *Network traffic crossing the firewall is controlled using many methods that can also interact with the VPN connectivity: **Interface security levels **IP routing **Interface ACLs and Global ACLs. **Service policies (configured through Cisco MPF) **Security service modules **Optionally, NAT **DNS VPN - L2L ASA to IOS Router IKEv1 Phase 1 - Main mode 6 and Aggressive mode 3 On the ASA crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes-256 group 2 hash sha tunnel-group 12.1.12.3 type ipsec-l2l tunnel-group 12.1.12.3 ipsec-attributes ikev1 pre-shared-key keykey On the Router crypto isakmp policy 10 authentication pre-share encryption aes 256 group 2 hash sha crypto isakmp key 0 keykey address 12.1.12.4 IKEv1 Phase 2 - Proxy ID exchange, Tunnel ESP Header mode & Transport mode with quick 3 On the ASA crypto ipsec ikev1 transform-set T-set_to_Router esp-aes-256 esp-md5-hmac access-list VPN_TO_ROUTER extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0 On the Router crypto ipsec transform-set T-set_to_ASA esp-aes 256 esp-md5-hmac ip access-list extended VPN_TO_ASA permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0 Crypto Map and Interface Assignment On the ASA crypto map VPN 10 match address VPN_TO_ROUTER crypto map VPN 10 set peer 12.1.12.3 crypto map VPN 10 set transform-set T-set_to_Router crypto map VPN interface outside sysopt connection permit-vpn On the Router crypto map VPN 10 ipsec-isakmp match address VPN_TO_ASA set transform-set T-set_to_ASA set peer 12.1.12.4 interface fa0/0 crypto map VPN VPN commands for the ASA crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes-256 group 2 hash sha tunnel-group 12.1.12.3 type ipsec-l2l tunnel-group 12.1.12.3 ipsec-attributes ikev1 pre-shared-key keykey crypto ipsec ikev1 transform-set T-set_to_Router esp-aes-256 esp-md5-hmac access-list VPN_TO_ROUTER extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0 crypto map VPN 10 match address VPN_TO_ROUTER crypto map VPN 10 set peer 12.1.12.3 crypto map VPN 10 set transform-set T-set_to_Router crypto map VPN interface outside sysopt connection permit-vpn VPN commands for the Router crypto isakmp policy 10 authentication pre-share encryption aes 256 group 2 hash sha crypto isakmp key 0 keykey address 12.1.12.4 crypto ipsec transform-set T-set_to_ASA esp-aes 256 esp-md5-hmac ip access-list extended VPN_TO_ASA permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0 crypto map VPN 10 ipsec-isakmp match address VPN_TO_ASA set transform-set T-set_to_ASA set peer 12.1.12.4 interface fa0/0 crypto map VPN crypto isakmp policy 10 encryption 3des authentication pre-share hash md5 group 2 ! crypto isakmp key cisco address 1.1.1.1 ! crypto ipsec transform-set T_SET esp-3des esp-md5-hmac ! ip access-list extended VLAN2_TO_VLAN3 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255 ! crypto map VPN ipsec-isakmp set peer 1.1.1.1 set transform-set T_SET match address ! interface fa 0/0 crypto map VPN =PKI Architecture= Peer Authentication *How do we authenticate a peer in a VPN connection? **Pre-shared keys **Digital Certificates What PKI Provides *PKI provides a stronger peer authentication as compared to weak pre-shared keys *New issues arise when we use a PKI infrastructure **Peers need the public key of the other site before it works ***How do we exchange those keys? ***How do we trust the information that was exchanged? How Keys are Used *In a key-pair we have a public and a private key *Nobody gets my private key, but if you have my public key you can verify something I have signed with my private key (Authentication) *If you encrypt something with a public key, only my private key can reverse that process (Encryption) Manual Key Exchange *We exchange public keys, then call each other and read back the fingerprint *Not scalable In Terms of Life *If I know Bob and Bob knows you, he might introduce us and we may trust each other because we trusted the introducer *This is the start of the PKI concept *The CA Server is Bob *We both trust the CA *This makes it more scalable **The CA is the central trusted introducer **The CA signs everyone's public key with its private key **So to read the signature we need the public key of the CA (Authentication) **The signed public keys are called Identity Certificates **These ID Certs can be revoked On the ASA *We can install an identity cert on the ASA **Cert can be self signed or obtained from a CA **The default cert is regenerated every time the ASA boots so don't save it *When enrolling with a CA Server we can use a manual enrollment or use the Simple Certificate Enrollment Protocol (SCEP) CA Servers *The CA Server you choose may vary as there are many available **Microsoft has a CA built into Windows Server **The ASA can act as a CA Server **A Cisco IOS router can act as a CA Server **You may have to pay for the CA **Some are subscription based On the Client *The client can enroll with a CA in the following ways: **Using the ASA as a CA server **Using an external CA server **Using a CA server behind the ASA with ACLs allowing enrollment **Using a CA server behnd the ASA with SCEP proxy Enroll ASA to CA Server Enable ASDM access from the inside http server enable http 0 0 inside Configuration > Device Management > Certificate Management > CA Certificates '''ACTIVITY: Install CA cert on ASA =VPN Setup= ipsec-remote-access Display IPSec Remote Access Configuration Commands l2tp-remote-access Display L2TP/IPSec Configuration Commands site-to-site Display IPSec Site-to-Site Configuration Commands ssl-remote-access Display SSL Remote Access Configuration Commands =L2L VPN Doodles= OSPF over IPsec You can't send multicast traffic over the IPsec tunnel so therefore you must statically assign neighbors to make the updates unicast. interface X/X ospf network point-to-point non-broadcast router ospf 1 network x.x.x.x y.y.y.y area 0 neighbor x.x.x.x interface X Reverse Route Injection This installs the routes into the routing protocol for peers to pick up across the IPsec tunnel. When you see the static route in the firewall, redistribute the static routes into the routing protocol. You will then have a route to the hosts on the other side of the VPN tunnel on your local routers through the routing protocol. crypto map CRYPTOMAP 1 set reverse-route router ospf X redistribute static subnets NAT Traversal NAT-T is on by default. crypto isakmp nat-traversal 30 - NAT-T keepalives over UDP 4500 crypto map CRYPTOMAP 1 set nat-t-disable - disables NAT-T (on by default) Tunnel Default Gateway You can create a default route for traffic that has been brought over from the tunnel but the return traffic does not have a route back. This will default the traffic over the tunnel interface back to the source. So the tunnel default gateway is used to route packets if they reach the security appliance over an IPsec tunnel and if their destination IP address is not found in the routing table. route INTERFACE 0.0.0.0 0.0.0.0 NEXT-HOP tunneled Management Access You can't manage the firewall through an IPsec VPN so you should modify that behavior with the following command: management-access inside Perfect Forward Secrecy You can optionally generate new keys in IPsec Phase2 with various group level encryption. crypto map CRYPTOMAP 1 set pfs groupX Security Association Lifetimes Assign the amount of time for the negotiation of a new pair of data encryption keys. Globally: crypto ipsec security-association lifetime kilobytes 5000 seconds 600 Per VPN crypto map CRYPTOMAP 1 set security-association lifetime kilobytes 2500000 seconds 14400 Phase 1 Mode The ASA responds to main or aggressive according to the type of packet the initiator sends first. You can enable or disable initiator and responder options via crypto maps. crypto map CRYPTOMAP 1 set ikev1 phase1-mode main or crypto map CRYPTOMAP 1 set ikev1 phase1-mode aggressive groupX Connection Type More on the Phase 1 Mode, you can make the firewall an initiator only or responder only for VPN tunnels. crypto map CRYPTOMAP 1 set connection-type answer-only crypto map CRYPTOMAP 1 set connection-type originate-only crypto map CRYPTOMAP 1 set connection-type bidirectional ISAKMP Keepalives The keepalives is a way to determine whether the remote VPN peer is still reachable or if there are any lingering SAs. If the ASA stops receiving encrypted packets it sends DPD R_U_THERE packets. If it does not receive a DPD R_U_THERE_ACK packet, the ASA drops the SA. tunnel-group x.x.x.x ipsec-attributes isakmp keepalive threshold 30 retry 3 If a vendor does not understand the keepalive isakmp keepalive disable IPSec and Packet Fragmentation Most of the time packets are fragmented after encryption which kills the CPU of the other end because they have to decrypt AND defragment the packet. Because of this you will want to fragment first and then encrypt so that the end host is responsible for defragmentation. Problems also arise with the DF bit set in the packet which causes the ASA to drop the packets it they are too big. Fragment BEFORE encryption: crypto ipsec fragmentation before-encryption INTERFACE Clear the DF bit: crypto ipsec df-bit clear-df INTERFACE =L2L VPN Troubleshooting= Show Commands Phase 1 show crypto isakmp sa detail Successful negotiations show MM_ACTIVE Phase 2 show crypto ipsec sa To look at the packet statistics from the accelerator: show crypto accelerator statistics Show current VPN sessions: show vpn-sessiondb summary Debug Commands Phase 1 debug crypto isakmp level 1-255 (255 is most specific and will show more output, 127 will give you most of the information) Phase 2 debug crypto ipsec level 1-255 (255 is most specific and will show more output, 127 will give you most of the information) If you have a lot of tunnels the output can be dangerous. Filter with debug conditions: ciscoasa# debug crypto condition ? error Display debug error messages regardless of filters group Filter on a group name peer Filter on a peer address or subnet reset Clear the crypto debug filters spi Filter on an IPSec SPI unmatched Display messages with insufficient context to match a filter user Filter on a user name ISAKMP Captures You can create a pcap on the firewall that is saved to the buffer space for in-depth troublshooting. This creates a file called 'VPNPCAP' in the buffer space: capture VPNPCAP type isakmp ikev1 interface outside To see the capture: show capture VPNPCAP decode =Remote Access VPN (EZVPN)= AGGRESSIVE MODE for pre-shared keys MAIN MODE for PKI TUNNEL MODE always used for Remote Access VPNs IKEv2 AnyConnect *RA VPN with IKEv1 uses legacy Cisco ISec client - ISAKMP used for negotiation *RA VPN with IKEv2 uses Cisco AnyConnect client - still uses SSL VPN for profile updates etc... *Cisco's direction is the use of IKEv2 IKEv2 policies are modified in the 'AnyConnect Connection Profiles' and not the 'IPsec(IKEv1) Connection Profiles.' Connection Sequence #Phase 1 Negotiations - ISAKMP polices #X-Auth Request - configured user database authentication #X-Auth Response #Mode-config Request - sends IP address, DNS, WINS, etc. #Mode-config Response #Phase 2 Negotiations - IPSec IPSec vs. L2TP over IPSec L2PT is pre-installed on most Windows operating systems, uses UDP port 1701 for data encapsulation and then in ESP protocol 50. Unlike Cisco IPSec, L2Tp over IPSec provides user-level authentication using PPP authentication protocols and not group and user level authentication as with Cisco IPSec. IPSec Remote-Access VPN Configuration Steps #Enable ISAKMP #Create ISAKMP policy #Set up tunnel and group policies #Define IPSec policy #Configure user authentication #Assign an IP address #Create a crypto map #Configure traffic filtering (optional) #Bypass NAT (optional) #Set up split tuneling (optional) #Define DNS and WINS addresses (optional) crypto isakmp enable outside - tells outside interface to listen to UDP 500 IKEv1 packets crypto isakmp policy 1 - defines the phase 1 security associations authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 group-policy RA_VPN internal group-policy RA_VPN attributes vpn-tunnel-protocol IPSec tunnel-group RA_TUNNEL_GROUP type remote-access tunnel-group RA_TUNNEL_GROUP general-attributes default-group-policy RA_VPN tunnel-group RA_TUNNEL_GROUP ipsec-attributes ikev1 pre-shared-key cisco123 crypto ipsec ikev1 transform-set RA_TRANSFORM_SET esp-aes-256 esp-sha-hmac username ccieuser password cisco123 username adminuser password admin123 or aaa-server RADIUS protocol radius aaa-server RADIUS (inside) host 192.168.1.100 key cisco123 tunnel-group RA_TUNNEL_GROUP general-attributes authentication-server-group RADIUS ip local pool DHCP_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0 group-policy RA_VPN attributes address-pools value DHCP_POOL or vpn-addr-assign dhcp tunnel-group RA_VPN general-attributes dhcp-server 192.168.1.10 crypto dynamic-map RA_VPN_CRYPTOCHRONIC 100 set ikev1 transform-set RA_TRANSFORM_SET crypto map RA_CRYPTO_MAP Cisco Example interface ethernet0 ip address 10.10.4.200 255.255.0.0 nameif outside no shutdown isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash sha isakmp policy 1 group 2 isakmp policy 1 lifetime 43200 isakmp enable outside ip local pool testpool 192.168.0.10-192.168.0.15 username testuser password 12345678 crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac tunnel-group testgroup type ipsec-ra tunnel-group testgroup general-attributes address-pool testpool tunnel-group testgroup ipsec-attributes pre-shared-key 44kkaol59636jnfx Remote Access VPN Filtering Just like the L2L filtering technique, you can use the following command: no sysopt connection permit-vpn This will take the traffic inherently trusted by the VPN and inspect it by running it through the ACLs on the interface. This is, however a global command and will affect all traffic traversing the VPNs. If you want to keep the inspection to only one tunnel on Remote Access, enable the inspection in the group-policy. access-list GROUP_POLICY_ACL extended permit tcp 192.168.50.0 255.255.255.0 192.168.10.10 255.255.255.0 eq telnet group-policy RA_VPN_POLICY attributes vpn-filter value GROUP_POLICY_ACL Bypass NAT You can enable Nat Exemption for traffic crossing the VPN. This is traffic you do NOT wanted translated by NAT. Split Tunneling When you don't want all of the traffic of the end host going over the VPN, you can enable split tunneling to send only the traffic that needs to go over the tunnel through the VPN connection. There are three types of split tunneling: *Tunnel all traffic (no split tunneling) *Default split-tunnel-policy tunnelall *Tunnel specific networks (split tunneling) split-tunnel-policy tunnelspecified *Tunnel all but specific networks (exclude split tunneling) split-tunnel-policy excludespecified To enable split tunneling, create an ACL for traffic you want tunneled and assign that ACL to the group policy. access-list SPLIT_TUNNEL_ACL standard permit 192.168.10.0 255.255.255.0 group-policy RA_GROUP_POLICY attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT_TUNNEL_ACL Assign DNS and WINS You can assign the clients a DNS and WINS server through the group-policy. group-policy RA_GROUP_POLICY attributes wins-server value 192.168.10.20 192.168.10.10 dns-server value 192.168.10.10 192.168.10.20 default-domain value ra.vpn.com Connection Modes There are two connection modes for the hardware ASA client: Client Mode (PAT) and Network Extension Mode (NEM). Client Mode simply NATs all of the internal networks to the corporate site under one IP address. For example, the firewall is the client with 100 hosts behind it but the corporate network only sees the firewall's IP address a it NATs the 100 clients' connections with PAT. Network Extension Mode is much like a normal site-to-site tunnel in that the hosts on either side know the IP address of each other. In this mode, the client MUST initiate the IPsec tunnel. When configuring the EZVPN ASA client, use the vpnclient commands. (THIS ONLY WORKS ON THE 5505. There is no 5505 on the CCIE exam so not much will be said here). Transparent Tunneling [http://justdoit.wikia.com/wiki/VPN#NAT_Traversal NAT Traversal] IPsec over UDP Used to encapsulate the ESP packets using a UDP wrapper. If the VPN clients do not support NAT-T and are behind a firewall that does not allow ESP packets to pass through, you can enable IPsec over UDP which still uses UDP port 500. The ASA can then specify the UDP port on which to continue data communication. group-policy RA_GROUP_POLICY attributes ipsec-udp enable ipsec-udp-port 10000 IPsec over TCP Use IPsec over TCP when UDP 500 is blocked, ESP protocol 50 is not allowed or if you prefer connection-oriented protocols. Instead of UDP IPsec over TCP uses a predefined TCP port to establish a VPN connection. Simply specify the port in global config: isakmp ipsec-over-tcp port 10000 To verify this configuration with VPN clients connected: show crypto ipsec sa | inc settings IPsec Hairpinning (U-Turn) If you have clients on one VPN that need to talk to another VPN and those VPNs terminate on the same interface, you need to allow this traffic that is blocked by default. same-security-traffic permit intra-interface Client U-Turn If you need clients to access the internet because there is no split-tunneling policy, you will need to allow them to be NAT'd out to the internet. The clients connect through the tunnel, are routed out of the outside interface but they still have their private IP address so we'll have to create a NAT rule. same-security-traffic permit intra-interface ip local pool IP-Pool 192.168.50.1-192.168.50.254 nat (outside) 1 209.165.200.230 gloal (outside) 1 209.165.200.230 VPN Load Balancing The load balancing the cluster master owns the virtual IP address which is used by the clients to connect. When the clients connect to the virtual IP, the master determines which ASA has the least load and redirects the client to connect to that ASA. *Load balancing is not supported on L2TP over IPsec tunnels and IPsec site-to-site tunnels. vpn load-balancing interface lbpublic outside interface lbprivate inside cluster encryption cluster ip address 144.1.1.254 cluster key cisco123 cluster port 25000 priority 6 participate The above configuration configures the interface for the outside load balancing as well as the inside encryption. The reason that we have to enable the lbpublic outside is to tell the firewall where to terminate the incoming VPN connections. The inside lbprivate interface is for the encryption of load-balancing management data between the firewalls. Obviously the cluster IP is the listening IP along with the cluster port and the priority tells which neighbor is the load-balancing master. Client Firewalling The VPN client firewall protects the corporate network by denying outside packets through the VPN. During split-tunneling there is a risk that outside connections could be made through the client and to the inside encrypted network. To prevent this, the VPN client firewall does not allow outside connections through the VPN. Keepalives are sent to the personal firewall and if it is not on, the VPN does not establish and if the VPN was previously established and the firewall is turned off then the keepalives timeout and drop the VPN as a result. This is only for windows clients. There are three modes for Client Firewall checking. *No Firewall - the check is disabled, useful for Linux or MAC users *Firewall Optional - the VPN checks but does not disable the VPN is the firewall is not on *Firewall Required - self explanatory Sending a Policy Firewall to the Client You can send a firewall ACL policy to the client and they are applied to the client from the prospective of the client. These ACLs are to keep the client from accessing other internal devices within the corporate network. The split-tunneling is standard ACL filtering so this sends extended policies to the client firewall for more granular control. access-list CLIENT_POLICY_FW_INBOUND extended permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0 access-list CLIENT_POLICY_FW_INBOUND extended permit udp host 192.168.101.1 eq 53 192.168.50.0 255.255.255.0 access-list CLIENT_POLICY_FW_OUTBOUND extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list CLIENT_POLICY_FW_OUTBOUND extended permit udp 192.168.50.0 255.255.255.0 host 192.168.101.1 eq 53 group-policy RA_GROUP_POLICY attributes client-firewall req cisco-integrated acl-in CLIENT_POLICY_FW_INBOUND acl-out CLIENT_POLICY_FW_OUTBOUND Hardware-Based Easy VPN Client Features Interactive Client Authentication This does not allow the VPN client machine to cache user credentials. group-policy RA_GROUP_POLICY attributes secure-unit-authentication enable Individual User Authentication The user must authenticate on a web-form before accessing any resources. Also, if the user is not active you can configure an idle value in which case the firewall terminates the connection and authentication must happen again. group-policy RA_GROUP_POLICY attributes user-authentication enable user-authentication-idle-timeout 60 LEAP Bypass This feature allows LEAP packets to cross the VPN tunnel when hardware client authentication is configured. group-policy RA_GROUP_POLICY attributes leap-bypass enable *Only works with Cisco Aironet APs Cisco IP Phone Bypass This option will not try to authenticate the IP phone and send traffic through the tunnel. Network Extension Mode must be in use for this to work. group-policy RA_GROUP_POLICY attributes ip-phone-bypass enable Hardware Client Network Extension Mode Instead of the whole ASA appliance being in NEM mode, a host can choose NEM mode when the firewall is in client mode. group-policy RA_GROUP_POLICY attributes nem enable =L2TP Over IPsec Remote Access VPN= L2TP is used on windows machines inherently for VPNs but are insecure so the ASA and client uses IPsec to encrypt the data. #User connects to internet via PPP and gets IP #User launches L2TP program #User initiates Phase 1 #User initiates Phase 2 #After IPsec the client initiates L2TP tunnel #PPP tunnel initiation is negotiated #L2TP packets are sent that are encrypted by IPsec